All of the release distribution packages have been digitally signed
(using PGP or GPG) by the Apache Group members that constructed them.
There will be an accompanying distribution.asc file
in the same directory as the distribution. The PGP keys can be found
at the MIT key repository and within
this project's KEYS file.

Always use the signature files to verify the authenticity
of the distribution, e.g.:

We offer MD5 hashes as an alternative to validate the integrity
of the downloaded files. A unix program called md5 or
md5sum is included in many unix distributions. It is
also available as part of GNU Core Utilities package.